python flask redirect to https from http

Question

I have a website build using python3.4 and flask...I have generated my own self-signed certificate and I am currently testing my website through localhost.

I am using the python ssl module along with this flask extension: https://github.com/kennethreitz/flask-sslify

context = ('my-cert.pem', 'my-key.pem')
app = Flask(__name__)
sslify = SSLify(app)

...

if __name__ == '__main__':
    app.debug = False
    app.run(
    host="127.0.0.1",
    port=int("5000"),
    ssl_context=context
)

This does not seem to be working however. I took a look in the sslify source code and this line does not seem to be working

def init_app(self, app):
    """Configures the configured Flask app to enforce SSL."""
    app.before_request(self.redirect_to_ssl)
    app.after_request(self.set_hsts_header)

Specifically the function call to redirect_to_ssl (I added my own print statement under the redirect_to_ssl function and my statement was never printed)

def redirect_to_ssl(self):
    print("THIS IS WORKING")
    """Redirect incoming requests to HTTPS."""
    Should we redirect?
    criteria = [
        request.is_secure,
        current_app.debug,
        request.headers.get('X-Forwarded-Proto', 'http') == 'https'
    ]

    if not any(criteria) and not self.skip:
        if request.url.startswith('http://'):
            url = request.url.replace('http://', 'https://', 1)
            code = 302
            if self.permanent:
                code = 301
            r = redirect(url, code=code)
            return r

I am pretty new to python. Any ideas?

score 57 · Answer 1 · edited Apr 30 '21 at 20:25

57

To me, it appears you're making it more complicated than it needs to be. Here is the code I use in my views.py script to force user to HTTPS connections:

@app.before_request
def before_request():
    if not request.is_secure:
        url = request.url.replace('http://', 'https://', 1)
        code = 301
        return redirect(url, code=code)

edited Apr 30 '21 at 20:25

Hartley Brody

8,669
14
37
48

answered Aug 26 '15 at 23:03

Kelly Keller-Heikkila

2,544
6
23
35

3

I'm not sure how it would redirect more than once, unless you have something else that's redirecting from https back to http somewhere, creating a loop. It should only redirect once. – Kelly Keller-Heikkila Jan 03 '17 at 15:04
1

Reason that @HimanshuMishra ran into issues that they are probably terminating SSL. Checking `request.is_secure()` is what you want because it respects the `X-Forwarded-Protocol` header. https://code.djangoproject.com/ticket/14597 – jaysqrd Aug 11 '17 at 22:28
2

I think the change is as simple as: `if not request.is_secure():` as @tuned mentions below. – jaysqrd Aug 11 '17 at 22:29
5

Should actually be request.is_secure – jaysqrd Aug 11 '17 at 22:39
I did try this but if my app is running on port 443 (https), why would the flask app be listening at port 80 (http)? – Cam K Jan 25 '22 at 05:32
@CamK I thought the same thing before, but now started using cloudfoundry and it is running a load balancer in front of my app (listening on HTTP and HTTPS), so I can't use my own SSL cert anymore since the balancer forwards all traffic to my app on HTTP – nmz787 Feb 26 '22 at 08:14
I ended up setting `request.scheme = 'https'`. This way `request.url` `request.base_url` etc. will each be updated. – mochatiger Jan 24 '23 at 21:54

score 18 · Answer 2 · answered Apr 26 '18 at 11:29

18

According with the docs, after pip install Flask-SSLify you only need to insert the following code:

from flask import Flask
from flask_sslify import SSLify

app = Flask(__name__)
sslify = SSLify(app)

I have done it and it works very well. Am I missing something in the discussion ?

answered Apr 26 '18 at 11:29

Rodolfo Alvarez

972
2
10
18

I believe flask_sslify is no longer maintained .. see @Eyal Levin 's answer below – Joshua Wolff Aug 01 '19 at 04:19
Is "app.run" still required and do you specify a port? – Cam K Jan 25 '22 at 12:57

score 17 · Answer 3 · answered Jul 30 '19 at 11:26

17

The Flask Security Guide recommends using Flask-Talisman.

$ pip install flask-talisman

Usage example:

from flask import Flask
from flask_talisman import Talisman

app = Flask(__name__)
Talisman(app)

It forces HTTPS by default (from the README):

force_https, default True, forces all non-debug connects to https.

Personally, I got some errors relating to CSP (Content Security Policy) which I disabled with:

Talisman(app, content_security_policy=None)

But use this at your own risk :)

answered Jul 30 '19 at 11:26

Eyal Levin

16,271
6
66
56

Also added `content_security_policy =None`. I tried GOOGLE_CSP_POLICY but it didn't work with google analytics. Also my "Twitter follow me" button wasn't working either. I didn't bother investigating more for something that was working as is before – Thomas Dec 25 '19 at 03:24
What are the risks of using talisman? – tumbleweed Aug 09 '23 at 07:59

anulaibar · Answer 4 · 2021-02-09T09:20:38.997

15

Thanks to answer from Kelly Keller-Heikkila and comment by jaysqrd I ended up doing this in my Flask app:

from flask import request, redirect
...

@app.before_request
def before_request():
    if app.env == "development":
        return
    if request.is_secure:
        return

    url = request.url.replace("http://", "https://", 1)
    code = 301
    return redirect(url, code=code)

I tried the flask_sslify solution suggested by Rodolfo Alvarez but ran into this issue and went with the above solution instead.

If the app is running in development mode or the request is already on https there's no need to redirect.

edited Feb 09 '21 at 09:20

answered Nov 27 '18 at 13:41

anulaibar

310
2
9

1

I ended up setting `request.scheme = 'https'`. This way `request.url` `request.base_url` etc. will each be updated. – mochatiger Jan 24 '23 at 21:55

score 11 · Answer 5 · answered Nov 24 '19 at 23:58

11

Here is a flask solution if you are on aws and behind a load balancer. Place it in your views.py

@app.before_request
def before_request():
    scheme = request.headers.get('X-Forwarded-Proto')
    if scheme and scheme == 'http' and request.url.startswith('http://'):
        url = request.url.replace('http://', 'https://', 1)
        code = 301
        return redirect(url, code=code)

answered Nov 24 '19 at 23:58

JayS

2,057
24
16

this works for gcp app engine in flex env as well. Great job @edW – Yijin Dec 03 '19 at 20:17
worked for me in cloudfoundry – nmz787 Feb 26 '22 at 08:15
If your request is already setting `X-Forwarded-Proto`, probably better to go with the official `ProxyFix` https://werkzeug.palletsprojects.com/en/2.2.x/middleware/proxy_fix/ like @mdubez's answer. – mochatiger Jan 24 '23 at 21:56

score 5 · Answer 6 · answered Apr 26 '16 at 09:22

The standard solution is to wrap the request with an enforce_ssl decorator that after checking some flags in the app configuration (flags you can set depending on your debugging needs) modifies the request's url with request.url.

As it is written here.

You can modify the code to make it working with before_request as suggested by @kelly-keller-heikkila

score 5 · Answer 7 · answered Oct 02 '19 at 21:51

I use a simple extra app that runs on port 80 and redirect people to https:

from flask import Flask,redirect

app = Flask(__name__)

@app.route('/')
def hello():
    return redirect("https://example.com", code=302)

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=80)

score 3 · Answer 8 · answered Jan 16 '20 at 14:04

An alternative to the other answers that I've been able to use with great success:

from http import HTTPStatus
from typing import Optional

from flask import Response, redirect, request, url_for


def https_redirect() -> Optional[Response]:
    if request.scheme == 'http':
        return redirect(url_for(request.endpoint,
                                _scheme='https',
                                _external=True),
                        HTTPStatus.PERMANENT_REDIRECT)


# ..

if app.env == 'production':
    app.before_request(https_redirect)

# ..

score 2 · Answer 9 · answered Aug 04 '21 at 23:24

2

On app engine flex, add:

from werkzeug.middleware.proxy_fix import ProxyFix

def create_app(config=None):

    app = Flask(__name__)
    app.wsgi_app = ProxyFix(app.wsgi_app)

In addition to the solution of:

@app.before_request
def before_request():
    if not request.is_secure:
        url = request.url.replace('http://', 'https://', 1)
        code = 301
        return redirect(url, code=code)

Otherwise it'll cause infinite redirects since SSL is unwrapped behind the proxy but is noted in the headers.

answered Aug 04 '21 at 23:24

mdubez

3,024
1
17
10

2

This should be marked as the correct answer. Using it with the following flags does not seem to need the before request patch: `app = Flask(__name__); app.wsgi_app = ProxyFix(app.wsgi_app, x_host=1, x_proto=1)` – vervas Oct 25 '21 at 08:26
Just these lines - app = Flask(__name__); app.wsgi_app = ProxyFix(app.wsgi_app, x_host=1, x_proto=1) fixed the issue of 'Invalid Redirect URI' for me. App is behind AWS load balancer. Definitely this should be the accepted answer for the OP. – SatyaV Nov 04 '22 at 23:09

score 1 · Answer 10 · answered Dec 02 '19 at 20:43

I ran into the same solution running a Flask application in AWS Elastic Beanstalk behind a load balancer. The following AWS docs provided two steps to configure the environment for http redirects: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-httpredirect.html Following both steps fixed my issue.

One thing to note is that you'll have to create the .ebextenions folder at the root level of your application source bundle and add the config file to that .ebextensions folder. The readme here: https://github.com/awsdocs/elastic-beanstalk-samples explains this in a bit more detail.

score 1 · Answer 11 · answered Dec 14 '20 at 21:28

For some reason it seems, requests from a Private AWS API Gateway with a VPC endpoint don't include the "X-Forwarded-Proto" header. This can break some of the other solutions (either it doesn't work or it continuously redirects to the same url). The following middleware forces https on most flask generated internal redirects:

class ForceHttpsRedirects:
    def __init__(self, app):
        self.app = app
    
    def __call__(self, environ, start_response):
        environ["wsgi.url_scheme"] = "https"
        return self.app(environ, start_response)

# Usage
app = flask.Flask(__name__)
app.wsgi_app = ForceHttpsRedirects(app.wsgi_app) # Add middleware to force all redirects to https

score 1 · Answer 12 · edited Apr 04 '22 at 08:50

1

Use:

app.run(port="443")

All modern browsers automatically use HTTPS when the port is 443 or 8443.

edited Apr 04 '22 at 08:50

vvvvv

25,404
19
49
81

answered Apr 02 '22 at 05:14

Fighter178

303
2
9

score 0 · Answer 13 · answered Nov 28 '18 at 02:38

I'm using cloud foundry python app which is behind a load balancer (like https://stackoverflow.com/users/5270172/kelly-keller-heikkila said) . This resolution helped me by adding (_external and _Scheme to the url_for function). https://github.com/pallets/flask/issues/773

score 0 · Answer 14 · answered Apr 10 '21 at 07:30

I had the same issue and mine is a brute-force solution, but it works. Heroku in the past suggested flask_sslify, which is not maintained anymore. Nowadays the proper way in Flask should be flask-talisman, but I tried it and it has bad interactions with boostrap templates. I tried the anulaibar solution but it did not always worked for me. The following is what I came up with:

@app.before_request
def before_request():
    # If the request is sicure it should already be https, so no need to redirect
    if not request.is_secure:
        currentUrl = request.url
        if currentUrl.startswith('http://'):
            # http://example.com -> https://example.com
            # http://www.example.com -> https://www.example.com
            redirectUrl = currentUrl.replace('http://', 'https://', 1)
        elif currentUrl.startswith('www'):
            # Here we redirect the case in which the user access the site without typing any http or https
            # www.example.com -> https://www.example.com
            redirectUrl = currentUrl.replace('www', 'https://www', 1)
        else:
            # I do not now when this may happen, just for safety
            redirectUrl = 'https://www.example.com'
        code = 301
        return redirect(redirectUrl, code=code)

I have the domain registered in godaddy which is also redirecting to https://www.example.com.

score 0 · Answer 15 · answered Oct 31 '21 at 03:09

0

In my case Flask app is sitting behind AWS API Gateway and solutions with @app.before_request were giving me permanent redirects.

The following simple solution finally worked:

@app.after_request
def adjust_response(response):
    ....
    if response.location:
        if app.env != "development":
            response.location = response.location.replace("http://", "https://", 1)
    return response

answered Oct 31 '21 at 03:09

Altair7852

1,226
1
14
23

This is fixing the symptom, but not the underlying problem. You need to set up Flask to correctly handle headers in the proxy environment for security reasons. [Doing it properly](https://stackoverflow.com/a/45333882/1749551) is actually less code anyway. – Nick K9 Nov 06 '21 at 23:23

score 0 · Answer 16 · answered Aug 24 '23 at 13:36

When you expose the ports the flask in the logs shows what port it is running on?

it cannot serve http and https without their being a listener on both ports.

just run a container that redirects to the the https url serving on port 80 or 8080 depending on access. This is what brought me to this page to see if anyone else wanted to fix such a flask issue.

python flask redirect to https from http

16 Answers16

Linked